How we calculate package quality scores

Choosing the right npm package shouldn't be a gamble. Our transparent scoring system evaluates packages across four critical dimensions—Security, Maintenance, Dependencies, and Popularity—giving you a complete picture of package health at a glance.

Every score is calculated using objective, verifiable data from npm, GitHub, and security databases. We show you exactly how we arrived at each grade, including the weights, observed values, and contributions of individual metrics. No black boxes, no guesswork—just clear, actionable insights to help you make confident dependency decisions.

We currently run 8 live checks across 4 categories.

Overall score calculation

We combine weighted scores for each category to produce the package's overall grade.

  • Security: 30%
  • Maintenance: 25%
  • Dependencies: 20%
  • Popularity: 15%

Grade assignment

  • A: 85-100
  • B: 70-84
  • C: 55-69
  • D: 40-54
  • F: 0-19

Security

Evaluates known vulnerabilities and security advisories so you can assess install risk.

30% weight · 2 live checks

Rule breakdown

Current vulnerabilities

Live metric

Penalties for current vulnerabilities affecting the package and all transitive dependencies: Critical (-25), High (-15), Medium (-8), Low (-3) per vulnerability.

Rule ID: security-vulnerabilities

  • Base score

    All packages begin with 100 security points before deductions.

    100 points
  • Critical vulnerabilities

    -25 points
  • High vulnerabilities

    -15 points
  • Medium vulnerabilities

    -8 points
  • Low vulnerabilities

    -3 points

Historical vulnerabilities (published during last year)

Live metric

Penalties for vulnerabilities published during the last year (historical). Penalties are weighted at 40% of normal values to reflect past risk: Critical (-10), High (-6), Medium (-3.2), Low (-1.2) per vulnerability.

Rule ID: security-historical-vulnerabilities

  • Critical vulnerabilities (published during last year)

    -10 points
  • High vulnerabilities (published during last year)

    -6 points
  • Medium vulnerabilities (published during last year)

    -3 points
  • Low vulnerabilities (published during last year)

    -1 points
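The overall-score combination and the two Security rules above, worked through as an added example (this is not PkgSeer's own code). It assumes that current and historical penalties draw down the same 100-point Security base, and that the weighted sum is divided by the total weight since the four weights add up to 90%; the sample advisory counts are constructed.

```javascript
// Added worked example, not PkgSeer's own code: applies this page's weights,
// vulnerability penalties and grade bands to constructed inputs.
const WEIGHTS = { security: 30, maintenance: 25, dependencies: 20, popularity: 15 };
const PENALTY = { critical: 25, high: 15, medium: 8, low: 3 };
const HISTORICAL_FACTOR = 0.4; // last-year advisories count at 40% of the current penalty

// security-vulnerabilities and security-historical-vulnerabilities, assumed to
// draw down the same 100-point base (the page lists one base score for Security).
function securityScore(current = {}, historical = {}) {
  let score = 100;
  for (const [sev, n] of Object.entries(current)) score -= PENALTY[sev] * n;
  for (const [sev, n] of Object.entries(historical)) score -= PENALTY[sev] * HISTORICAL_FACTOR * n;
  return Math.max(0, Math.min(100, score)); // a score never leaves 0..100
}

// Overall score: weighted mean of the four category scores. The page's weights
// sum to 90%, so the sum is divided by the total weight (an assumption).
function overallScore(categories) {
  let weighted = 0, total = 0;
  for (const [name, weight] of Object.entries(WEIGHTS)) {
    if (typeof categories[name] !== 'number') throw new Error(`missing category: ${name}`);
    weighted += weight * categories[name];
    total += weight;
  }
  return Math.round((weighted / total) * 10) / 10;
}

// Grade bands exactly as listed on the page; 20-39 is not covered there, so
// that range returns undefined instead of an invented grade.
function gradeFor(score) {
  if (score >= 85) return 'A';
  if (score >= 70) return 'B';
  if (score >= 55) return 'C';
  if (score >= 40) return 'D';
  if (score < 20) return 'F';
  return undefined;
}

// Constructed sample: one current High advisory, two Medium advisories published
// in the last year, and category scores for the other three dimensions.
const sample = {
  security: securityScore({ high: 1 }, { medium: 2 }), // 100 - 15 - 2 * 3.2 = 78.6
  maintenance: 80,
  dependencies: 90,
  popularity: 60,
};
const score = overallScore(sample); // (30*78.6 + 25*80 + 20*90 + 15*60) / 90 = 78.4
console.log(`score ${score}, grade ${gradeFor(score)}`); // score 78.4, grade B
```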

Data sources

  • npm audit advisories
  • GitHub Security Advisories
  • Snyk vulnerability feeds

Maintenance

Measures how actively the package is updated through release cadence and commit activity.

25% weight · 2 live checks

Rule breakdown

Days since last update

Live metric

Scores how recently the package published a release, rewarding projects that ship updates more frequently.

Rule ID: maintenance-last-release-recency

  • Updated within the last month (≤30 days)

    100 points
  • Updated within the last quarter (31-90 days)

    80 points
  • Updated within six months (91-180 days)

    60 points
  • Updated within the last year (181-365 days)

    40 points
  • No release in over a year

    20 points

Release frequency

Live metric

Counts releases over the last year to distinguish actively maintained packages from those that rarely publish updates.

Rule ID: maintenance-release-frequency

  • Weekly releases (52+ per year)

    100 points
  • Monthly releases (12-51 per year)

    80 points
  • Quarterly releases (4-11 per year)

    60 points
  • At least one release in the last year

    40 points
  • No releases recorded in the last year

    20 points

Data sources

  • npm registry publish history
  • GitHub releases
  • GitHub commit activity

Dependencies

Highlights the size, freshness, and risk of the package's dependency tree.

20% weight · 3 live checks

Rule breakdown

Total dependencies

Live metric

Measures how many direct dependencies the latest release declares; smaller graphs suggest easier maintenance.

Rule ID: dependencies-total-count

  • No transitive dependencies

    100 points
  • Lean graph (1-25 packages)

    100 points
  • Moderate footprint (26-75 packages)

    90 points
  • Noticeable surface (76-150 packages)

    80 points
  • Large surface (151-300 packages)

    60 points
  • Very large surface (301-600 packages)

    40 points
  • Extremely large surface (601+ packages)

    20 points

Outdated dependencies

Live metric

Rewards packages that keep their dependency graph on the latest releases and highlights major version gaps.

Rule ID: dependencies-outdated-dependencies

  • All dependencies up-to-date

    Start at 100. No penalties for outdated dependencies.

    100 points
  • Major updates available

    -10 points per dependency behind by major version

    -10 points
  • Minor updates available

    -2 points per dependency behind by minor/patch versions

    -2 points

Deprecated dependencies

Live metric

Flags when dependency versions are marked as deprecated by the registry.

Rule ID: dependencies-deprecated-dependencies

  • Base score

    All packages begin with 100 points before deductions.

    100 points
  • Deprecated dependencies

    -15 points per deprecated dependency.

    -15 points

Data sources

  • package.json dependency lists
  • Resolved version metadata
  • PkgSeer dependency graph

Popularity

Captures adoption signals from the community, including downloads and social proof.

15% weight · 1 live check

Rule breakdown

Weekly downloads

Live metric

Estimates weekly downloads from monthly telemetry to gauge overall adoption.

Rule ID: popularity-weekly-downloads

  • 10M+ weekly downloads

    100 points
  • 1M-10M weekly downloads

    90 points
  • 100K-1M weekly downloads

    80 points
  • 10K-100K weekly downloads

    60 points
  • 1K-10K weekly downloads

    40 points
  • Fewer than 1K weekly downloads

    20 points

Data sources

  • npm download statistics
  • GitHub stars and watchers
  • Community engagement signals